After the retention period or when the data medium is decommissioned, lost or repurposed, organisation data is deleted.
End users receive sufficient warning before data is deleted.
Specification
Data is deleted according to the NIST Guidelines for Media Sanitization (https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final), at a level that depends on the sensitivity of the data:
- Low / Medium: level Clear or higher
- High: Purge or higher
Purging of sensitive data media is done by a trusted supplier. Certificates of destruction must be available for the destruction of highly sensitive data.
Destruction of encryption keys is considered equivalent to data purging.
ISO 27001 & 27002:2022
A5.33, A5.34, A7.10, A7.14, A8.10, A8.13
SURF information security assessment framework (NBA maturity model)
DM.04 Set-up of storage and retention
DM.06 Deletion of data